Commit c9745b96 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Matevz Golob

caddy-frontend: Protect against malformed ssl_proxy_ca_crt

parent 4e8f0114
......@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
md5sum = d62aefe002ec13875924e4c219914795
md5sum = ef06c04a5aa33b103dc1d25d0dfe8217
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
......
......@@ -133,6 +133,14 @@ context =
{% do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
{% endif %}
{% endif %}
{% set ssl_proxy_ca_crt = slave.get('ssl_proxy_ca_crt') %}
{% if ssl_proxy_ca_crt %}
{% set check_popen = popen([parameter_dict['openssl'], 'x509', '-noout']) %}
{% do check_popen.communicate(ssl_proxy_ca_crt) %}
{% if check_popen.returncode != 0 %}
{% do slave_error_list.append('ssl_proxy_ca_crt is invalid') %}
{% endif %}
{% endif %}
{# BBB: SlapOS Master non-zero knowledge BEGIN #}
{% for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %}
{% if key in slave %}
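Review bot: The `openssl x509 -noout` check on `check_popen` only proves that the first PEM block in `ssl_proxy_ca_crt` parses as a certificate; further certificates in a bundle or trailing data after that block are not examined, and neither the validity dates nor the CA basic constraint are checked. If this value is later written out as the trust anchor for the backend connection, a comment stating that scope would help the next reader, e.g. `{# only checks that the first PEM block parses as X.509; not expiry, CA:TRUE or trailing data #}`. It is also worth confirming that `popen` as exposed to this template opens stdin as a pipe and that `communicate()` cannot raise on a non-string slave value, since an exception during rendering would presumably affect every slave on the frontend instead of adding one entry to `slave_error_list`.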
......
......@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
},
'ssl-proxy-verify_ssl_proxy_ca_crt_damaged': {
'url': cls.backend_https_url,
'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': 'damaged',
},
'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
'url': cls.backend_https_url,
'ssl-proxy-verify': True,
......@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '48',
'rejected-slave-amount': '4',
'slave-amount': '52',
'rejected-slave-amount': '5',
'slave-amount': '53',
'rejected-slave-dict': {
"_apache_custom_http_s-rejected": ["slave not authorized"],
"_caddy_custom_http_s": ["slave not authorized"],
"_caddy_custom_http_s-rejected": ["slave not authorized"],
"_type-eventsource": ["type:eventsource is not implemented"]
"_type-eventsource": ["type:eventsource is not implemented"],
"_ssl-proxy-verify_ssl_proxy_ca_crt_damaged": [
"ssl_proxy_ca_crt is invalid"]
}
}
......@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result_http.headers['Set-Cookie']
)
def test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'ssl-proxy-verify_ssl_proxy_ca_crt_damaged']
self.assertEqual(
{'request-error-list': '["ssl_proxy_ca_crt is invalid"]'},
parameter_dict
)
def test_ssl_proxy_verify_unverified(self):
parameter_dict = self.assertSlaveBase('ssl-proxy-verify-unverified')
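Review bot: The only negative case added is the literal `'damaged'` in the `ssl-proxy-verify_ssl_proxy_ca_crt_damaged` slave, which has no PEM framing at all, so the tests do not show what happens to input that looks like a certificate but is not a usable one. A slave whose value has well-formed `-----BEGIN CERTIFICATE-----` framing around a corrupted body, and another with a valid certificate followed by junk, would pin down where the check behind `"ssl_proxy_ca_crt is invalid"` draws the line. A one-line docstring on `test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged`, such as `"""A slave with an unparsable ssl_proxy_ca_crt is rejected with a request error."""`, would also record the intent.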
......